{% extends "xss/base.html" %}

{# subtopic_name should match string in nav.html #}
{% set subtopic_name = 'No Escaping' %}

{% block content %}

<p>The exercises on this page are rule-by-rule examples from the 
<a href="http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">XSS (Cross Site Scripting) Prevention Cheat Sheet</a>.
The forms on this page apply no validation or output escaping at all, which exemplifies what can happen when proper security controls are not in place.</p>

<p>PLEASE NOTE: Not all of these injections will work in all browsers. For example, Firefox does not support xss:expression javascript in style tags.</p>

<p><span style="color:red;"><b>WARNING:</b></span> Some of these examples may cause seemingly infinite alert() messages in your browser!<br>
Save all work and bookmark any open tabs you want to keep in the event you must force-kill your browser.<br>
In particular, the xss:expression examples will cause infinite alert() messages on Internet Explorer 8.</p>

<form name="form" method="POST">

{{ render_form(xss_rules) }}

</form>

{% endblock content %}
